Thycotic’s Cyber Security Publication

Create a strong password security policy in 9 steps

January 10th, 2017

Here’s the bad news: your end users are lazy. You’ve seen it all… sticky notes on computer screens, computers left unlocked while people are out grabbing coffee, and corporate security policies simply not being followed at all. Take a look at the latest data from SplashData announcing the 2015 edition of its annual “Worst Passwords List”. The two top-ranked passwords are — YET AGAIN — “123456” and “password”. How many of YOUR colleagues and end users use these passwords every day to protect your corporate data?

People are hard to teach and hard to retrain out of shortcut habits. Let us help you educate. These are the 9 steps to company-wide password security, and we put them together in an easy-to-remember acronym: GET STRONG.

1. Go with encryption: Passwords must never be left in plain text, and especially not in an Excel document. Always store passwords with encryption.

2. Escape complexity: Focus on teaching your end users to use longer and more easily remembered passwords, like password phrases. Don’t let them get bogged down with having to remember special character requirements.

3. Teach employees: Ongoing training is critical and is the most important step in getting your policy implemented. Make sure your users understand their role, prepare quarterly reviews, and make it fun with incentives.

4. Size matters: The longer the password, the harder it is for an attacker to break. It’s simple: make human passwords at least 8 characters long and system passwords 12-50 characters.

6. Rotate often: Don’t let human passwords go unchanged for more than 90-180 days, and change system passwords every 30-90 days. Setting a reminder is essential to ensure they are rotated on time. Note: to do this, you must use a password manager. Forcing users to pick new passwords themselves leads to predictable patterns in their passwords.

7. Omit duplicates: Use a unique password for each of your accounts. The same password should never be used more than once!

8. No cheating: Remembering a long password can be difficult, but don’t allow password hints. These just make it easier for hackers to get in.

9. Get a vault: Start using a trusted password manager to enforce strong password best practices. This way, users can always generate long and complex passwords, never have to remember all their passwords, and if you use a vault for your IT team, you can find one that automatically changes your admin passwords. When it comes to IT, automation is key to preventing a breach!

You know password security is important — now it’s time to test and see how you score!

The Weak Password Finder meets these key challenges and helps you show management the success of your security policy program:

With our Weak Password Finder tool, you can run the tool today to establish a baseline of your existing security policies. Then, after each of your security training sessions, you can rerun the tool to see if your security training has been effective – providing you with measurable results of your program!

Does forcing your users to update their password every 30 days help or hurt?

Just like measuring your security awareness program, you can also measure how effective forced password rotation is on your network. Run this tool every 30 days, record the results, and compare the reports every month to see if there is measurable improvement in the security of your policies!
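The GET STRONG steps above, together with the idea of measuring a baseline and re-measuring after each training session, can be turned into a small audit script. The following is an added example written for this post, not Thycotic’s Weak Password Finder or any other product: it checks a constructed credential inventory against the length, rotation, reuse and hint rules from steps 4, 6, 7 and 8, and reports a compliance percentage that can be recorded each month and compared. The account names, secrets and dates are made up, and the audit only fingerprints secrets in memory, never writes them out.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds taken from the GET STRONG steps in the post.
MIN_HUMAN_LEN = 8          # step 4: human passwords at least 8 characters
MIN_SYSTEM_LEN = 12        # step 4: system passwords 12-50 characters
MAX_SYSTEM_LEN = 50
MAX_HUMAN_AGE_DAYS = 180   # step 6: human passwords changed within 90-180 days
MAX_SYSTEM_AGE_DAYS = 90   # step 6: system passwords changed within 30-90 days


@dataclass
class Credential:
    account: str
    kind: str            # "human" or "system"
    secret: str          # held only for the duration of the check
    last_rotated: date
    hint: str = ""       # any stored password hint (step 8 forbids these)


def fingerprint(secret):
    """Hash the secret so duplicate detection never compares or stores plaintext."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def check_credential(cred, today, fingerprint_counts):
    """Return the list of policy violations for one credential (empty if compliant)."""
    violations = []
    # Step 4 (size matters): per-account-type length rules.
    if cred.kind == "human":
        if len(cred.secret) < MIN_HUMAN_LEN:
            violations.append("too-short")
        max_age = MAX_HUMAN_AGE_DAYS
    else:
        if not (MIN_SYSTEM_LEN <= len(cred.secret) <= MAX_SYSTEM_LEN):
            violations.append("length-out-of-range")
        max_age = MAX_SYSTEM_AGE_DAYS
    # Step 6 (rotate often): days since the last change.
    if (today - cred.last_rotated).days > max_age:
        violations.append("rotation-overdue")
    # Step 7 (omit duplicates): the same secret on more than one account.
    if fingerprint_counts[fingerprint(cred.secret)] > 1:
        violations.append("reused")
    # Step 8 (no cheating): a stored hint weakens the password.
    if cred.hint:
        violations.append("hint-present")
    return violations


def audit(creds, today):
    """Map each account to its violations for the whole inventory."""
    counts = Counter(fingerprint(c.secret) for c in creds)
    return {c.account: check_credential(c, today, counts) for c in creds}


def compliance_score(report):
    """Percentage of accounts with no violations: the baseline to re-measure after training."""
    if not report:
        return 100.0
    compliant = sum(1 for v in report.values() if not v)
    return round(100.0 * compliant / len(report), 1)


# Constructed sample inventory; the audit date is the post's publication date.
TODAY = date(2017, 1, 10)
SAMPLE = [
    Credential("alice@corp.example", "human", "correct horse battery staple", TODAY - timedelta(days=40)),
    Credential("bob@corp.example", "human", "123456", TODAY - timedelta(days=400), hint="one to six"),
    Credential("carol@corp.example", "human", "blue tractor sings at noon", TODAY - timedelta(days=30)),
    Credential("svc-backup", "system", "correct horse battery staple", TODAY - timedelta(days=10)),
    Credential("svc-db", "system", "R7v$pQ2mLw9zTk4", TODAY - timedelta(days=120)),
]

if __name__ == "__main__":
    result = audit(SAMPLE, TODAY)
    for account, problems in result.items():
        print(f"{account:22} {', '.join(problems) or 'OK'}")
    print(f"compliance: {compliance_score(result)}%")
```

Running the script once gives the baseline (20% of the sample accounts are compliant); re-running it after a training session or a rotation cycle and recording the new percentage is the month-over-month comparison the post describes. Only the rules the post states are encoded; an organisation would adjust the thresholds to its own policy.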

Jordan True

Jordan is a social media strategist, digital community manager and a lover of all things IT. She currently manages the Social Media Program at Thycotic and loves to connect with technology communities online and at enterprise IT events. Addicted to the outdoors, you can find Jordan on the running trails in her free time or sharing the latest InfoSec buzz on Twitter @ThycoticJordan.